Thursday 14 December 2017

MINDEF to invite 300 hackers to test its cyber defences; New short-term Cyber Specialist scheme for NSFs from 2018

MINDEF Bug Bounty Programme: International and local hackers will try to locate vulnerabilities in its Internet-linked systems
By Lim Min Zhang, The Straits Times, 13 Dec 2017

In a first for the Government, the Ministry of Defence (MINDEF) will be inviting about 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems next year, in a bid to guard against ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of MINDEF's Internet-facing systems, such as the MINDEF website, the NS Portal and LearNet 2 Portal, a learning resource portal for trainees.

These registered hackers can earn cash rewards - or bounties - of between $150 and $20,000, depending on how critical the flaws discovered are. Called the MINDEF Bug Bounty Programme, it will be the Government's first crowdsourced hacking programme.

This follows an incident earlier this year when MINDEF discovered that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel in a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-Net system for MINDEF and Singapore Armed Forces (SAF) personnel to connect to the Internet.

Yesterday, the new programme was announced by defence cyber chief David Koh after a visit to the Cyber Defence Test and Evaluation Centre - a cyber "live-firing range" where servicemen train against simulated cyber attacks - at Stagmont Camp in Choa Chu Kang.

On the significance of the "Hack MINDEF" initiative, he told reporters: "The SAF is a highly networked force. How we conduct our military operations depends on networking across the army, navy, air force and the joint staff.

"Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems... Clearly, this is a fast-evolving environment and, increasingly, you see that it is one that is of relevance to the defence and security domain."

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr Koh, who is also the deputy secretary for special projects at MINDEF.

"Some countries have begun to recognise cyber as a domain similar to air, land and sea. Some have even gone so far as to say that the next major conflict will see cyber activity as the first activity of a major conflict," he added.

While there will be some risks in inviting hackers to test the systems, such as an increase in website traffic and the chance that these "white-hat" hackers will turn over discovered vulnerabilities to the dark Web, measures will be put in place to guard against this.

White-hat hackers break into protected systems to improve security, while black-hat hackers have nefarious intentions to exploit flaws.

The programme, conducted by US-based bug bounty company HackerOne, is expected to cost about $100,000, depending on the bugs uncovered. But Mr Koh noted that this would be less than the expense of hiring a dedicated vulnerability assessment team, which might cost up to a million dollars.

In a statement, Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security Agency, said the agency is currently in discussions with some of Singapore's 11 designated critical information infrastructure sectors, which have expressed interest in exploring a similar programme for their public-facing systems.

Such bug bounty programmes have been used by large organisations elsewhere, such as Facebook and the United States Department of Defence, with some success.

The initiative caps a year in which Singapore has been gearing up for the battlefront in cyberspace.

In March, it was announced that the Defence Cyber Organisation will be set up to bolster Singapore's cyber defence, with a force of cyber defenders trained to help in this fight.



* Hackers find 35 bugs in first MINDEF bug bounty programme, $19,500 paid out
Two classified as 'high' severity uncovered in ministry's bug bounty programme, now fixed
By Lim Min Zhang, The Straits Times, 22 Feb 2018

Hackers invited to penetrate the Ministry of Defence's systems earlier this year have found 35 valid bugs, including two classified as "high" severity and which have since been fixed.

Of the 264 participating hackers, the top hacker was a Singaporean cyber-security manager at Ernst & Young who took home about one-third of the total bounty paid out.

The total payout for the programme, which took place from Jan 15 to Feb 4 this year, was US$14,750 (S$19,480).

If exploited, the high-severity bugs, found on the NS Portal, could have resulted in certain users being greeted with a defaced webpage, or the names of servicemen might have been compromised.

Of the other valid bugs found, 10 were classified as "medium" severity and 23 as "low". None was classified as "critical".

All of them have been mitigated, though not all have been remedied. This means the flaws can no longer be exploited, but a proper fix will take a longer time as patches need to be developed and tested before they can be applied.

On the number of bugs found, Mr Koh, who is also deputy secretary for special projects, said: "In my view, it is in the Goldilocks zone - not too big, not too small."

He added: "If it was too small, the success of the programme would be called into question, because one could argue that not enough people took part, they were not good enough, and the systems were not tested robustly.

"If the number was too big, it calls into question our professionalism to begin with."

The top hacker, a 30-year-old who wanted to be known only as Darrel, reported nine valid and unique vulnerabilities, receiving a total bounty of US$5,000.

He spent about two hours a day during the three weeks hunting for vulnerabilities and submitted a total of 16 reports.

Asked how secure MINDEF's systems were, he said: "In general, they are quite secure.

"They could ward off amateur hackers who are just running scanners, automated scans or tools against the website. They have a pretty sensitive firewall that blocks off intrusive attempts aggressively."

Deputy chief executive (development) at the Cyber Security Agency of Singapore, Mr Teo Chin Hock, said in a statement there are many learning points from the ministry's programme, and that companies and organisations which are attractive targets for hackers should consider having a bug bounty programme.

United States-based bug bounty company HackerOne was engaged to manage the programme.

A total payout of US$14,750 was given to 17 hackers. Their rewards ranged from US$250 to US$2,000.

The first report was submitted 83 minutes after the programme's launch. The ministry responded in five hours on average to the hackers' reports.

Hackers based in Singapore totalled 100, while 164 were from HackerOne's network of about 175,000 international hackers, including 57 of the top 100 ranked hackers in HackerOne's network.

They tested eight of the ministry's Internet-facing systems, such as the MINDEF website and LearNet 2 Portal, a learning resource portal for trainees.

The discovery of the bugs does not mean "we have 100 per cent security", said Mr Koh.

"Even if it was 100 per cent on the day the programme ended, something new may come up.

"It is just more secure than when we started."


** MINDEF offers new short-term cyber-specialist scheme for NSFs to boost cyber-security fight

Scheme for NSFs aims to attract those with cyber security expertise
By Lim Min Zhang, The Straits Times, 13 Feb 2018

The Ministry of Defence (MINDEF) will train full-time national servicemen (NSFs) who have an aptitude for cyber security to become elite cyber defenders in the regular service, with a new short-term contract scheme.

From yesterday, any national service pre-enlistee enlisting from the second half of this year onwards, when the pilot scheme starts, can apply for it. If selected, they will serve a total of three or four years in uniform, earning regular service pay after first completing a minimum period as NSFs.

These cyber specialists will take classes under the Singapore Institute of Technology's (SIT) cyber security degree once a week, while deployed in advanced cyber defence roles such as penetration testing, cyber forensics and malware analysis. The classes will earn them academic credits for an SIT degree later.

MINDEF will start with 50 to 70 of these Cyber Specialist Awards for the first year, and 80 to 90 when the trial ends after the first year.

The aim is to attract people with cyber security expertise - an increasing need, given how cyber attacks are getting more frequent, and how skilled individuals with deep expertise make a critical difference in this domain.

The awards come under a new Cyber NSF Scheme, which also includes NSF cyber operators performing more basic roles such as round-the-clock threat monitoring and analysis. There will be about 60 operators a year in this role. Personnel deployed in cyber security roles since last year are also considered operators under this scheme.

The cyber vocation was announced during last March's parliamentary debate on MINDEF's spending plans.

Yesterday, Minister for Education (Higher Education and Skills) and Second Minister for Defence Ong Ye Kung was at the signing of a memorandum of understanding (MOU) between MINDEF and SIT. He said the Cyber NSF Scheme was a marrying of three trends.

"One is the operational requirements of SAF to defend our country better, especially in the area of cyber defence. Two, the rise of a young group that is actually very au fait (well-versed) with cyber defence, and we want to tap and leverage their expertise."

"Three, an evolution in teaching methods in all our institutes of higher learning, where it is not just pure lectures but also hands-on experience at the same time," he said.

The MOU was signed at the SIT campus in Dover Road by Mr David Koh, deputy secretary (special projects) at MINDEF, and Professor Loh Han Tong, SIT's deputy president (academic) and provost.

The collaboration also involves the Cyber Security Agency and SkillsFuture Singapore. The agreement is the first work-learn programme between MINDEF and an educational institute where NSFs can attend academic courses while employed in an operational role.

Mr Koh, who is also defence cyber chief, said: "The proliferation of cyber attacks is a clear sign that cyberspace is the next battlefield, and cyber security is a national imperative."

Applicants will be tested on skills and aptitude in cryptography, security architecture and application security. They will also undergo psychometric tests and complete practical problem-solving scenarios.

The award recipients will get to go for professional certifications such as Sysadmin, Audit, Network and Security (Sans) Institute courses, and could be promoted up to the rank of First Sergeant.

NSFs in the cyber vocation will be deployed in a range of operational roles in four broad areas: cyber security monitoring, threat assessment and response, vulnerability audit and penetration testing, and malware analysis and cyber forensics.
